CVE-2025-66924 is a Cross-site Scripting (XSS) vulnerability identified in the Create/Update Item Kit(s) feature of Open Source Point of Sale (POS) version 3.4.1. The vulnerability arises because the application fails to properly sanitize or encode user-supplied input in the 'name' parameter, allowing attackers to inject malicious JavaScript or HTML code. When a victim user accesses the affected page, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized actions within the POS interface. This vulnerability is remotely exploitable without authentication, increasing its risk profile. Although no CVSS score has been assigned and no public exploits are known, the flaw's nature and affected component indicate a significant threat to the confidentiality and integrity of POS operations. The vulnerability could be leveraged to manipulate transaction data, steal sensitive customer or business information, or disrupt retail operations. The lack of a patch or mitigation details suggests that organizations must proactively implement input validation and output encoding as immediate countermeasures. Open Source POS is widely used in small to medium retail environments, making this vulnerability relevant to many European businesses reliant on this software for sales and inventory management.

For European organizations, exploitation of this XSS vulnerability could lead to unauthorized access to POS system sessions, enabling attackers to impersonate legitimate users and potentially manipulate sales data or access sensitive customer information. This could result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for protecting personal data. Retailers using Open Source POS may experience operational disruptions if attackers inject scripts that alter the user interface or cause erroneous transactions. The vulnerability also increases the risk of phishing or malware distribution through the POS interface. Given the critical role of POS systems in retail and hospitality sectors across Europe, successful exploitation could have cascading effects on business continuity and customer trust.

Organizations should immediately implement strict input validation and output encoding on the 'name' parameter within the Create/Update Item Kit(s) functionality to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the POS web interface. Monitor web application logs for suspicious input patterns indicative of XSS attempts. Segregate POS systems from broader corporate networks to limit lateral movement in case of compromise. Regularly update and patch Open Source POS software once an official fix is released. Conduct security awareness training for staff to recognize potential phishing or social engineering attempts that could leverage this vulnerability. Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the POS application.